Overview

Notes

Why doesn’t the title of my group, that I set in the ZODB, show up?
The title for a group comes from the properties plugin. The info
in the groups plugin isn’t used, except for the name.

The value of the ‘title’ property on the portal_groupdata or
portal_memberdata tools themselves (as opposed to the group or
member data records within them) will not be used as a default for
the title of the group or member. This is to prevent UI confusion if
a title is set without realizing the implications. To remove this
special case, see ‘plugins.property._getDefaultValues’.

If PAS caching is enabled (see the “Cache” tab) and the cache
manager does not have a ‘cleanup’ method (RAMCacheManager has one),
then changes to the memberdata schema will not effect users already
cached. In this case, restart the server or clear the cache (if
possible) for the changes to take effect.

Similarly, changes to the memberdata schema will not propagate to
member objects already in use. If you have a memberdata object and
change the memberdata properties you must re-construct the member by
saying portal_membership.getMemberById again. See
‘tests.test_properties.test_user_properties’ for example.

By default, logout from users signed in under HTTP Basic Auth cannot
log out. If you enable the “Credentials Reset” plugin for the HTTP
Basic plugin, the logout for cookies will no longer work. However,
this is not a problem if you’re not using cookies.

Implementation

In some places, PlonePAS acts as an adaptor to make PAS provide
enough of GRUF’s interface to satisfy Plone. All the monkey patches
in pas.py, for instance, extend PAS with expected methods.

PlonePAS also modifies Plone to work with PAS by providing
partially-new implementations of several tools. In the tools/
directory you can see new tools for groups and members, as well as
the utils tool.

It also provides extra capabilities for PAS needed by plone, such as
mutable property sheets, local role calculation, creation of group
objects, and more.

4.0.4 - 2011-01-03

The code to search by id in mutable_properties.enumerateUsers didn’t work at
all, an exception was always raised and it was actually a good thing.
We tried to implement it in 3.10 and we had strange listing in Plone UI. Then
we reverted it in the next version so the behavior was backward compatible
with previous versions.
If we allow search by id, we can potentially break other part of the code. For
example acl_users/portal_role_manager/manage_roles will break because
Products.PluggableAuthService.plugins.ZODBRoleManager.listAssignedPrincipals
raises MultiplePrincipalError, and maybe it will break somewhere else.
Versions 4.0.4 and 3.13 use now the same algorithm.
References http://dev.plone.org/plone/ticket/9361
[vincenfretin]

In Plone 4.1+, create a Site Administrators group with the new Site
Administrator role.
[davisagli]

Fix critical error on groupprefs page
when some groups have a non-ascii character in their title.
Sort groups on their title normalized.
This fixes http://dev.plone.org/plone/ticket/11301
[thomasdesvenain]

4.0 - 2010-07-18

Make VirtualGroup inherit from PropertiedUser so it gets wrapped correctly.
Have getGroupsForPrincipal not return the AutoGroup as a member of itself.
Closes http://dev.plone.org/plone/ticket/10568.
[cah190]

PluggableAuthService expects a list of group ids from getGroups, don’t pass a
list of wrapped groups instead.
[cah190, esteele]

Added a custom IMembershipTool interface to PlonePAS extending the base one
from CMFCore. It adds the getMemberInfo method to the mix. This closes
http://dev.plone.org/plone/ticket/10240.
[hannosch]

4.0b9 - 2010-06-03

Fixed a test to no longer use removed Large Plone Folder type.
[davisagli]

4.0b8 - 2010-05-01

Removed special unauthorized view workaround, after the underlying issue
has been fixed in Zope2.
[davisagli, hannosch]

AutoGroup now implements IPropertiesPlugin to return group title and description.
[erikrose, esteele]

GroupsTool’s getGroupsForPrincipal and getGroupMembers now return a list
made up of groups/members from all responding plugins instead of just the
first responder.
[erikrose, esteele]

Remove GroupData’s _gruf_getProperty method, move remaining functionality
into getProperty. getProperty now searches for properties in the following
places: property sheets directly on the group object, PAS
IPropertyProviders, portal_groupdata properties, and attributes on its
GroupData entry. It returns the first piece of data found.
Closes http://dev.plone.org/plone/ticket/9828
[erikrose, esteele]

4.0a1 - 2009-11-14

Simplified pas_member view. Also return info when no member
with the requested id exists, so this can be safely used also to get
“member info” for deleted members.
[maurits]

Added new pas_member view, which provides easy access to the membership
tools getMemberInfo method but caches the result on the request.
[hannosch]

Changed the default value of memberareaCreationFlag for the membership
tool to False, as it was done during Plone site creation so far.
[hannosch]

Removed patch on ZODBUserManager.enumerateUsers which was introduced
historical because of a former missing release of PluggableAuthService 1.5.
This now superfluous patch also reduced the functionality of the
patched method and introduced different behavior compared to i.e in
a similar method on LDAPMultiPlugins. For details on the former
patch see:
http://dev.plone.org/collective/changeset/41512/PlonePAS/trunk/pas.py
[jensens]

Moved a couple DTML files here from CMFPlone that got left out of the earlier
refactoring.
[davisagli]

Added a view of the Unauthorized exception which re-raises that exception
in order to make sure that it triggers PAS’ challenge plugin rather than
rendering the standard_error_message.
[davisagli]

Removed deprecation warnings for various methods. These never happened.
[hannosch]

Removed half-done ZCacheable caching for users and groups.
[hannosch]

Removed the CMFDefault dependency of the membership tool. We only need the
CMFCore functionality.
[hannosch]

PlonePAS.gruf_support.authenticate method was not breaking out of
the loop upon successful authenticateCredentials.
[runyaga]

Changed objectIds and objectValues calls to use the IContainer API.
[hannosch]

3.12 - 2009-10-16

Fixed the performance fix again. enumerateUsers from mutable_properties
plugin should return all the users if kw is empty. And it returns empty
tuple if login or id parameter is used.
[vincentfretin]

3.11 - 2009-10-05

Revert performance fix introduced in 3.10 for the mutable properties plugin.
enumerateUsers shouldn’t return results if id or login is not None like in
3.9 (data dict doesn’t contain id or login key, so testMemberData returns
always False). The search should be performed only if kw parameter is not
empty. This is the new optimization fix.
[vincentfretin]

3.10 - 2009-09-06

Performance fix for searching in the mutable properties plugin:
when only searching on user id do not walk over all properties,
but only test if the user id is known. This fixes
http://dev.plone.org/plone/ticket/9361
[toutpt]

3.8 - 2009-02-13

Update the role manager’s assignRoleToPrincipal method to lazily
update the cached list of portal roles. This fixes problems with
adding users with GenericSetup-created roles.
[wichert]

Fixed our OrderedDict to be unpickable with pickle protocol 2. On
unpickling a __init__ method is not called and an optimization in
protocol 2 would call __setitem__ without the _list to be initialized.
Even using a __getstate__ / __setstate__ combination wouldn’t work
around that. This change was found in using membrane and
MemcachedManager.
[hannosch, tesdal]

3.7 - 2008-09-28

Removed deprecation zcml statements for PluggableAuthService components:
these are now in PluggableAuthService itself.
[wichert]

Adjusted deprecation warnings to point to Plone 4.0 instead of Plone 3.5
since we changed the version numbering again.
[hannosch]

3.6 - 2008-06-25

Modify PloneGroup.getMemberIds to use all IGroupIntrospection plugins
to get the group members. This makes it possible to list members in
an LDAP group.
[wichert]

3.5 - 2008-06-25

Make PASSearchView.merge actually merge search results. Its previous
behaviour was quite nasty: it preferred search results from the
enumeration plugin with the lowest priority!
[wichert]

3.1 - 2007-10-08

Updating the roles for a group did not invalidate the _findGroup cache.
[wichert]

Fixed some tool icons to point to existing icons.
[hannosch]

3.0 - 2007-08-16

Fix check for authenticateCredentials return value
[rossp]

3.0rc2 - 2007-07-27

Fake a getPhysicalPath on our search view so ZCacheing works properly
everywhere.
[wichert]

Add event classes for logged-in and logged-out events.
[wichert]

3.0rc1 - 2007-07-08

Correct logic in MemberData capability methods: any plugin is
allowed to (re)set a password, delete the user or add roles.
[wichert]

Use the proper API to get the containing PAS in the group plugin
[wichert]

Fix setting user properties on the user object.
[wichert]

3.0b7 - 2007-05-05

Removed the five:registerPackage statement again. It causes problems in a
ZEO environment.
[hannosch]

Removed our version of the Plone tool from ToolInit. It won’t get an icon
anymore and you cannot add it, but existing instances still work. We
migrate all instances back to the regular tool anyways.
[hannosch]

3.0b6 - 2007-05-05

Fixed two migration related test failures.
[hannosch]

Spring cleaning, removed some cruft, pyflaked and corrected some more
undefined names.
[hannosch]

3.0-beta5 - 2007-05-02

Modify the roles plugin to lazily update its roles list from the portal.
[wichert]

Filter duplicate search results.
[laz, wichert]

Add a sort_by option to the search methods to allow sorting of results
by a property.
[laz, wichert]

Modify login method for the cookie plugin to perform the credential
update in the PAS of the user instead of the PAS of the plugin. This
helps in making sure that users will only authenticate against their
own user folder, so we get all their roles, properties, etc. correctly.
[wichert]

Update installation logic to use plone.session for cookies
[wichert]

Add pas_info and pas_search browser views.
[wichert]

Deprecate the PlonePAS PloneTool; its changes have been merged in the
standard Plone version.
[wichert]

Use getUtility to get the portal object.
[wichert]

Deprecate user and group searching through CMF member and group tools
in favour of PAS enumeration.
[wichert]

Refactor user searching in the membership tool to use standard PAS
searches.
[wichert]

Add a new automatic group plugin which puts all users in a virtual
group. This is useful for permissions handling: since it is not
possible to add roles to users with the Authenticated role a
virtual group can be used instead.
[wichert]

Added support to import PloneUserFactory and added stub
for ZODBMutableProperties. Attention: Latter needs a real
export and import! At the moment it do not export the
propertysheets. This is a TODO. At least with this two
additions PlonePAS import runs. Additional I needed to
hack PluginRegistry and and PluggableAuthService slightly.
[jensens]

Added HISTORY.txt and updated version information.
[hannosch]

2.4 - 2007-04-15

Optomise the local roles plugin for the common case where
local_roles is empty
[dreamcatcher]

the plone user was assuming a one to one mapping between property plugin
and user property sheet, and stripping away additional ones as part of
the retrieval of ordered sheets, instead, it now stores all
propertysheets in an ordered dictionary, so this assumption is not needed
[k_vertigo]

More postonly security changes
[alecm, ramon]

2.3 - 2007-05-30

Use a local postonly decorator so PlonePAS can be used with Plone
2.5, 2.5.1 and 2.5.2.
[wichert]

Protect the tools with postonly security modifiers.
[mj]

Update GRUF compatibility functions to use the same security checks
as GRUF itself uses.
[mj]